"We are pleased to announce the official release of OpenBSD 3.8. This is our 18th release on CD-ROM (and 19th via FTP). We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.8 provides significant improvements, including new features, in nearly all areas of the system."

That's where you would be wrong. In version 2.8 and earlier, it was enabled by default. It was only AFTER the vulnerability occured that they disabled it by default, in the 2.8 install: http://www.openbsd.org/plus28.html

They even disabled fingerd by default in 2.8 as well. They were trying to cover their asses so they could keep making that bogus claim.